I appreciate all the good advice put forward here. I just want to recapitulate what my issue was from the beginning.
I needed means to collect web access data for a particular user. Not keylogging, screen dumps, or that sort, as it's far too intrusive. Just record web access, mainly URLs. I could probably have set up a transparent proxy server, but that's using nukes for picking off a few pigeons. I have managed to collect sufficient evidence to present a good case, anyway.
Particularly thanks to Tom, for reminding me about documenting everything. The fewer holes in the tapestry, the better. It will be ugly. Thanks to other colleagues for pointing out the possibility to use different means to lock down USB drives. That will be implemented promptly. I will probably implement some more permanent web monitoring to detect abuse at an early stage, before it gets out of hand.
I wish everybody a nice spring